Privacy from the trenches

How the public are inured to data breaches

Common Topics

The recent string of high profile security breaches doesn't even hit the radar of the average user worried about the privacy of his personal information.

Sometimes the timing of events is off... ironically, painfully off. One of the best poets to come out of World War I was Wilfred Owen, a young, sensitive Englishman who went off to war at the age of 23. After several horrifying experiences (and remember, World War I introduced the world to chemical weapons, mass aerial bombardments of civilians, and wide-scale trench warfare), he spent time in a mental hospital for what we would now call Post-Traumatic Stress Disorder. There he met the poet Sigfried Sassoon, who encouraged him to focus his poetry on what Owen later termed "War, and the pity of War. The Poetry is in the pity."

After that, Owen's work matured into some of the most powerful anti-war poetry the English language has seen. Perhaps you remember this masterpiece from school, "Dulce et Decorum Est" (the title of which incorporates part of a longer quotation from the Roman poet Horace - "Dulce et decorum est pro patria mori" - which translates roughly as "It is sweet and decorous to die for your country"):

Bent double, like old beggars under sacks,
Knock-kneed, coughing like hags, we cursed through sludge,
Till on the haunting flares we turned our backs
And towards our distant rest began to trudge.
Men marched asleep. Many had lost their boots
But limped on, blood-shod. All went lame; all blind;
Drunk with fatigue; deaf even to the hoots
Of disappointed shells that dropped behind.

GAS! Gas! Quick, boys!-- An ecstasy of fumbling,
Fitting the clumsy helmets just in time;
But someone still was yelling out and stumbling
And floundering like a man in fire or lime.--
Dim, through the misty panes and thick green light
As under a green sea, I saw him drowning.

In all my dreams, before my helpless sight,
He plunges at me, guttering, choking, drowning.

If in some smothering dreams you too could pace
Behind the wagon that we flung him in,
And watch the white eyes writhing in his face,
His hanging face, like a devil's sick of sin;
If you could hear, at every jolt, the blood
Come gargling from the froth-corrupted lungs,
Obscene as cancer, bitter as the cud
Of vile, incurable sores on innocent tongues,--
My friend, you would not tell with such high zest
To children ardent for some desperate glory,
The old Lie: Dulce et decorum est
Pro patria mori.

Owen chose to return to the War in July 1918, even though he could have stayed at home, because he felt a duty to the men he commanded and fought alongside. In October he was awarded the Military Cross for bravery. On November 4, 1918, as he was leading his men in an attack across the Sambre canal in Ors, he was tragically killed. He was only 25 years old. In an event of supremely savage irony, the telegram informing his parents about his death reached them on November 11, 1918, the same day bells were tolling all over England announcing the end of the War.

I was thinking of bad timing (although, thankfully, without mortality involved) last week when a listserv I'm on received an email from one of our members. She was really concerned about. well, just read the email:

A co-worker forwarded this email to me, I went into the site and
input my information. Not only does it provide the visitor with your
name, home address and home telephone number, it also provides your
birth date in most instances, and offers the visitor the option of
PURCHASING your personal information for a cost of $100.

Logon to http://www.zabasearch.com, enter your name and home state. This site
gives personal and private information without your consent. If you
would like to have your name removed from their database, send an
email request to info at zabasearch.com requesting immediate removal.

Protect yourself!

Then I learned that a good friend's sister called him in a panic last week, freaking out because she just found out that you could type someone's name, city, and state in Google, and get as results her phone number, street address, a map to their home, and even satellite pictures of their house. She was really worried about this: what if a stalker could access that information? Why, he could come right to your house!

My response to both? A shrug of the shoulders, a tilt of the head, and the words "Aanh. You're worried about that stuff? That is so 1996!" I mean, to those of us who "do" technology, this is really old news. Maps to your house? Phone book lookups? Offers to make personal info available for a fee? Been there, done that. But it made me realize that there are a lot of folks who don't know about this stuff, and who still have the increasingly quaint idea that we have large areas of privacy in our modern, technologically-driven society.

Phone numbers online don't worry me. That's just convenience. Frankly, maps and satellite photos don't concern me either. More conveniences. And really, unless you're menaced by an incredibly moronic stalker, aren't paper maps still sold in every gas station in the country?

Now, the buying and selling of personal information is a greater concern, but again, anyone who wants to claim they're interested in employing me, or use some other simple form of social engineering, can contact credit agencies, banks, and a bewildering array of other institutions and acquire an impressive amount of data about me. Zabasearch, if it's even a real company and not some fly-by-night operation, is just automating the process and making a buck off of credulous customers.

No, if you really want to be concerned, worry about the data hemorrhages that have occurred -- apparently without any end in sight -- in the last few weeks.

At Boston College, a machine used for fund-raising is hacked. The personal data of up to 120,000 alumni, including Social Security Numbers, is compromised.

At California State University in Chico, a food service and housing computer is cracked. 59,000 people, including students, faculty, and staff, have their personal info, again including SSNs, stolen.

ChoicePoint, which has access to personal data about every adult in the USA, unintentionally made the private data about 145,000 folks available to thieves.

Bank of America saw the theft by aviation baggage handlers of data tapes containing credit card records of more than 1,000,000 US government employees, including Senators.

Tufts University (What is it with universities? Do these people ever lock anything down?) had a server used for fund-raising broken into, exposing the data of 106,000 alumni and donors.

LexisNexis just admitted that their databases were accessed 59 times using stolen passwords, and now have to notify 310,000 people that their data may have been taken.

And someone is worried that a map to his house can be found on Google?!

Where is all of this stolen data going? To professional thieves who are using it for identity theft, of course. We're not talking about some imagined stalker maybe using some publicly accessible maps and phone numbers to hypothetically harass you - we're talking about real, organized bands of criminals screwing up your credit rating, stealing gobs of money, disrupting economies worldwide, and causing general havoc, online and off. THAT is what people should worry about!

I hate to involve the government unless it's necessary, but I think something's got to give here. We can't rely on companies, schools, and organizations policing themselves. That's obviously a terrible failure. We need federal legislation to mandate that organizations that experience data thefts must notify those affected by the breach in a timely manner. As Mark Rasch stated earlier this week, recent legislation was passed that requires this for all financial institutions in the U.S., but all other companies are still off the hook. Right now, a few states have such a law -- California is one, which is why ChoicePoint even had to make its embarrassing revelation in the first place -- but there is no federal, all-encompassing requirement for anything but financial institutions (and even that law is very recent). This needs to change, and soon. Other states have proposed legislation, but it varies from state-to-state. A new federal law would be a great start. Right after that, a few class-action lawsuits against particularly egregious carelessness might also wake companies and schools up to the necessity of protecting data. Again, I don't like bringing in the lawyers, but to paraphrase the great Dr. Samuel Johnson, "Depend upon it, sir, when a man knows he is to be sued in a fortnight, it concentrates his mind wonderfully."

So why aren't people sending emails to lists about these data ruptures? Why aren't sisters calling brothers to express fear about LexisNexis, Tufts, and the other examples I gave?

I think there are a couple of reasons. First, I think that most people just don't know about these breaches, unless they're one of the lucky recipients of a letter from ChoicePoint or they read daily security news like the folks on SecurityFocus. Second, I think people feel fairly helpless when they hear about these break-ins. What can they do? As Bruce Schneier likes to point out, in the US, we don't own the data about us; instead, the folks who gathered the data about us own it. It's not like we can call up LexisNexis and request that they purge the information they have about us. But we can with Zabasearch! They say so right on their web site! (Riiiiiight)

Finally, I think that even when the media does report about these data thefts, most people are inured now to the occurrence. Remember when the first Internet Explorer flaws were reported back in 1996 or so? People flipped out! Now, new flaws come so fast and furious that most people just tune it out. Look at that list above -- after the third or fourth event, most people just tune it out.

In that way, it's a lot like war reporting. Whether talking about loss of privacy or even loss of life, at a certain point we become numbed to those overwhelming, chilling facts. Whether or not you're for or against the Iraq War, you have to admit that people are still dying, and the news media really doesn't seem to care anymore. After the first 1000 American deaths, what's there to say that people apparently watching TV safe at home want to hear? That is, unless you're the mother or father of someone like Wilfred Owen. Then the sad news is both the most important thing in the world, and the thing you never wanted to hear.

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.